Managing Role Explosion with Attribute-based Access Control - Webinar Series - Part 2

As companies globalize and consolidate their SAP systems, they face an increasing need to control access to sensitive data based on fine-grained user profiles. Traditionally, companies have managed this access by defining fine-grained roles, leading to an explosion of roles that are inconsistent and hard to manage.

In this webinar series, attendees will learn:
- The key trends driving role explosion
- The challenges of role explosion
- Example use cases that drive role explosion
- How attribute-based access control (ABAC) can alleviate the problem

Attendees will also see demonstrations of use cases illustrating how role explosion happens, and how ABAC can help reduce role explosion.

Speaker notes:
  • With this, the idea is to use just one simple role and instead use the attributes directly when granting access to different systems for different groups of users. That way we are not tying access controls to the user's role; we take the decision dynamically, based on the attributes, to enforce controls on resources.
  • We can achieve the same level of organizational control by using attributes such as Company and Department attached to the user and mapping them to the organizational attributes of the resource being accessed. With dynamic matching of attributes, we get the same result with just 50 functional roles and 1 policy. The policy matches the appropriate resource and user attributes to grant users access to a specific resource. Even if we have to extend the requirements to a finer-grained level, such as user location and export-controlled data, that is just another attribute to be matched in a policy, rather than another set of roles for different types of citizens. This reduces the number of roles created and managed by at least 97% compared with the best role-based scenario we discussed so far. That is a huge reduction in cost and management time, with 97% fewer roles to manage and maintain.
  • With ABAC we not only minimize the issues we have seen with role explosion, but also reap additional benefits. These are a few I have seen in many of our customers' business environments:
    - Finer-grained controls: the need to extend access controls beyond coarse organizational authorizations like plant, company code, cost center, etc.
    - The ability to read dynamic attributes of resources and users in this ever-changing business environment while making policy decisions for access controls.
    - Using internal as well as third-party attribute information to allow external users to access your information, while still applying appropriate access controls.
    - The ability to use external data classification systems to understand resource attributes, instead of extending the master data structures to implement custom authorization requirements.
    - And being able to achieve all this with flexibility, scalability and minimum management effort.
    Let's look at how this is possible in a real-life example.

Slide 1: © 2005-2013 NextLabs Inc. Managing Role Explosion with Attribute-based Access Control: "Attributes" is the new Role. Sandeep Chopra, Director of Product Management, NextLabs, Inc.

Slide 2: 2-Part Series
- Part 1 – More Roles than Employees: trends and drivers for role explosion, cost of role management; demonstrations of typical use cases that drive role explosion
- Part 2 – "Attributes" is the new Role: basics of ABAC and how it can help reduce role explosion; demonstrations of typical use cases and how ABAC works

Slide 3: Agenda
- Presentation: review of last week; attribute-based access control; information control policies; use cases
- Demonstration examples
- Questions and answers

Slide 4: Authorization Layers (diagram)

Slide 5: Challenge – Exploding Access Complexity. Companies have multiple access variables:
- Multiple export jurisdictions (e.g. ITAR, EAR, BAFA)
- Multiple IP control agreements (e.g. PIEA, NDA)
- Multiple applications and systems (e.g. PLM, ERP, SCM)
Traditional role-based access control (RBAC) explodes with the number of variables. (Chart: Required Access Rules vs. Number of Access Variables)

Slide 6: What are my Data Authorization options? (Data Authorization Decision Map)

Slide 7: ABAC: Integrating Identity, Content, and Context Attributes. "Who is using or sharing what data, how, why and with whom."
- Identity: User, Recipient, Internal and External
- Context: Computer, Network, Location, Channel/Application, Connection, Time
- Content: Data Type, Metadata, Custom Tags, Data Content

Slide 8: Attribute-Based Policies. Example: allow only US engineers to access Project X specifications from US offices.
- Subject: Location = US AND Department = Engineering
- Resource: Project = Project X AND Type = Specification
- Environment: Network Address = 192.168.*
An attribute-based rule retains the business intent and provides fine-grained, data-level control.

Slide 9: One Simple Role – Using ABAC (diagram: policy using attributes; BW)

Slide 10: Roles vs. Attributes – 97% fewer roles using attributes. Scenario: 1 company, 5 subsidiaries, 7 plants per subsidiary = 35 plants.

| Scenario | Derived Role | Enabler Role | ABAC |
|---|---|---|---|
| 50 functional roles & 5 subsidiaries | 300 total roles: 50 functional roles, 5 derived company code, 35 derived plants | 56 roles: 50 functional roles, 1 enabler template (company code), 1 enabler role for plant | 50 functional roles |
| 35 plants under 5 subsidiaries | 1,840 roles: 50 x 35 = 1,750; 1,750 + 5 + 35 + 50 = 1,840 | 1,802 roles: 50 functional roles x 35 plants = 1,750; 1,750 + 50 + 2 = 1,802 | 51 authorizations: 50 functional roles + 1 NextLabs policy |
| Benefit | Baseline | 5% less than derived roles | 97% less than enabler roles or derived roles |

Slide 11: Key Characteristics of Attribute-Based Policy
- Finer-grained, automated controls
- Dynamic enforcement
- External identity attributes
- External resource attributes

Slide 12: About NextLabs. NextLabs Entitlement Manager is an SAP-Endorsed Business Solution: policy-driven information risk management software for Global 5000 enterprises. It helps companies achieve safer and more secure internal and external collaboration and ensures proper access to applications and data.
- Locations: HQ San Mateo, CA; Boston, MA; Hangzhou, PRC; Malaysia; Singapore
- 40+ patent portfolio
- Major go-to-market partners: IBM, SAP, HCL-AXON, Hitachi Consulting
"We allow companies to preserve confidentiality, prevent data loss and ensure compliance across more channels and more points with a single unified solution with unmatched user acceptance and total cost of ownership." – Keng Lim, Chairman and CEO

Slide 13: Thank You! Thank you for viewing a preview of Part 2 of our Managing Role Explosion with Attribute-Based Access Control webinar series. To watch our complete recording, CLICK HERE. In the remainder of this webinar, you will see typical use cases of attribute-based access control and a demo of how it works.
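To make the two ideas above concrete, the speaker notes' "50 functional roles plus one attribute-matching policy" and the slide 8 rule for Project X specifications, here is a small policy evaluator written as an added example. It is not NextLabs code and not a real SAP or Entitlement Manager API; the attribute names (company_code, plant, citizenship, export_control, network_address), the sample users and resources, and the simplified "ITAR requires US citizenship" rule are all constructed for illustration. It goes slightly beyond the slides by combining several policies with deny-overrides semantics, so that an export-control policy layers on top of the organizational-scope policy instead of needing a second set of roles. The role-count helpers reproduce the arithmetic shown on slide 10.

```python
"""Attribute-based access decisions (added example, not NextLabs code)."""
from dataclasses import dataclass, field
from fnmatch import fnmatchcase
from typing import Iterable, Mapping, Tuple

Attrs = Mapping[str, str]


@dataclass(frozen=True)
class Policy:
    """One attribute-based rule.
    target: resource attribute patterns selecting which resources it governs.
    subject / environment: attribute patterns (glob syntax) that must hold.
    match: attribute names that must be equal on the subject and the resource."""
    name: str
    target: Attrs
    subject: Attrs = field(default_factory=dict)
    environment: Attrs = field(default_factory=dict)
    match: Tuple[str, ...] = ()


@dataclass(frozen=True)
class Decision:
    effect: str   # "ALLOW" or "DENY"
    reason: str


def _matches(patterns: Attrs, actual: Mapping[str, object]) -> bool:
    """Every required attribute must be present and match its glob pattern."""
    return all(key in actual and fnmatchcase(str(actual[key]), pattern)
               for key, pattern in patterns.items())


def _satisfied(p: Policy, subject, resource, environment) -> bool:
    return (_matches(p.subject, subject)
            and _matches(p.environment, environment)
            and all(subject.get(name) is not None
                    and subject.get(name) == resource.get(name)
                    for name in p.match))


def decide(policies: Iterable[Policy], action: str, subject, resource,
           environment) -> Decision:
    # 1. The functional role is unchanged: it still says WHAT the user may do.
    if action not in subject.get("roles", ()):
        return Decision("DENY", f"no functional role grants '{action}'")
    # 2. Attributes decide WHERE it applies. Every policy whose target matches
    #    the resource must be satisfied (deny-overrides); a resource that no
    #    policy covers is denied by default.
    applicable = [p for p in policies if _matches(p.target, resource)]
    if not applicable:
        return Decision("DENY", "no policy covers this resource")
    for p in applicable:
        if not _satisfied(p, subject, resource, environment):
            return Decision("DENY", f"policy '{p.name}' not satisfied")
    return Decision("ALLOW", "satisfied: " + ", ".join(p.name for p in applicable))


# Constructed policies. "org-scope" is the single policy from the speaker notes
# that replaces the derived/enabler roles; "export-controlled" is the extension
# the notes describe (a simplified, hypothetical ITAR rule); "project-x-spec"
# is the rule on slide 8.
POLICIES = (
    Policy("org-scope", target={"company_code": "*", "plant": "*"},
           match=("company_code", "plant")),
    Policy("export-controlled", target={"export_control": "ITAR"},
           subject={"citizenship": "US"}),
    Policy("project-x-spec",
           target={"project": "Project X", "type": "Specification"},
           subject={"location": "US", "department": "Engineering"},
           environment={"network_address": "192.168.*"}),
)

# Constructed sample subjects, resources and environments (not from the webinar).
US_ENGINEER = {"roles": frozenset({"display_material", "change_material"}),
               "company_code": "1000", "plant": "1010", "location": "US",
               "department": "Engineering", "citizenship": "US"}
DE_ENGINEER = {**US_ENGINEER, "citizenship": "DE", "location": "DE"}
HOME_PLANT_MATERIAL = {"company_code": "1000", "plant": "1010"}
OTHER_PLANT_MATERIAL = {"company_code": "2000", "plant": "2020"}
ITAR_MATERIAL = {**HOME_PLANT_MATERIAL, "export_control": "ITAR"}
PROJECT_X_SPEC = {"project": "Project X", "type": "Specification"}
OFFICE_NET = {"network_address": "192.168.40.17"}
VPN_NET = {"network_address": "10.8.0.3"}


# Slide 10 arithmetic for the 50-functional-role, 35-plant scenario.
def derived_role_count(functional: int, subsidiaries: int, plants: int) -> int:
    return functional * plants + subsidiaries + plants + functional   # 1,840


def enabler_role_count(functional: int, plants: int) -> int:
    return functional * plants + functional + 2                       # 1,802


def abac_authorization_count(functional: int, policies: int = 1) -> int:
    return functional + policies                                      # 51


if __name__ == "__main__":
    for who, what, res, env in [("US eng", "display_material", HOME_PLANT_MATERIAL, OFFICE_NET),
                                ("US eng", "display_material", OTHER_PLANT_MATERIAL, OFFICE_NET),
                                ("DE eng", "display_material", ITAR_MATERIAL, OFFICE_NET),
                                ("US eng", "display_material", PROJECT_X_SPEC, VPN_NET)]:
        subj = US_ENGINEER if who == "US eng" else DE_ENGINEER
        print(who, what, decide(POLICIES, what, subj, res, env))
```

The point to notice is that the functional role never changes: it is checked first and only answers "may this user perform this action". All organizational and regulatory scoping lives in attributes, so adding the export-control requirement meant adding one policy, not duplicating fifty roles.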